
SRX320 filter base forwarding with Nat on routing instance issue

  • 1.  SRX320 filter base forwarding with Nat on routing instance issue

    Posted 11-28-2018 08:29

    Dear all,
    I need help in configuring an SRX320 (15.1X49-D150) with filter-based forwarding and NAT on a routing instance.

    I have ISP1 via pp0.0 and ISP2 via ge-0/0/1 (131.1.1.201), which is connected to an ADSL modem (131.1.1.200).
    All port forwarding on the ADSL modem goes to ge-0/0/1 of the SRX.

    I need the IP address (10.78.1.250) in the trust zone (ge-0/0/2) to use ISP2 directly.
    Things go well with the commands below, in addition to the needed policy and source NAT from Trust to ISP2 for 10.78.1.250 using the egress interface.

    set interfaces ge-0/0/2 unit 0 family inet filter input webFilter
    set firewall family inet filter webFilter term 1 from source-address 10.78.1.250/32
    set firewall family inet filter webFilter term 1 then routing-instance webtraffic
    set firewall family inet filter webFilter term 2 then accept
    set routing-instances webtraffic instance-type forwarding
    set routing-instances webtraffic routing-options static route 0.0.0.0/0 next-hop 131.1.1.200
    set routing-options interface-routes rib-group inet FBF-rib
    set routing-options rib-groups FBF-rib import-rib inet.0
    set routing-options rib-groups FBF-rib import-rib webtraffic.inet.0

    The above makes the IP address 10.78.1.250 successfully use only ISP2.
    Now I need NAT (port forwarding) from the Internet to this IP address (10.78.1.250).
    I configured static NAT and also destination NAT from the ISP2 zone or interface (ge-0/0/1), with destination IP of ge-0/0/1 (131.1.1.201) mapped to the internal prefix IP (10.78.1.250).

    It doesn't work.
    How can I make NAT work as explained above?



  • 2.  RE: SRX320 filter base forwarding with Nat on routing instance issue

    Posted 11-28-2018 09:08

    Hi,

    Please share the NAT configuration that is not working.



  • 3.  RE: SRX320 filter base forwarding with Nat on routing instance issue

    Posted 11-30-2018 17:01

    Hi, and thanks for your reply,

    Please find below the explained scenario:

    All Trust users go to the Internet via ISP1 (pp0.0), except one IP (10.78.1.250), which must go via ISP2 (ge-0/0/1, connected to the ADSL modem).

    This is done successfully using filter-based forwarding as below, using the forwarding instance-type.

    set interfaces ge-0/0/2 unit 0 family inet filter input webFilter                      (ge-0/0/2=10.78.1.1=Trust)
    set firewall family inet filter webFilter term 1 from source-address 10.78.1.250/32
    set firewall family inet filter webFilter term 1 then routing-instance webtraffic
    set firewall family inet filter webFilter term 2 then accept
    set routing-instances webtraffic instance-type forwarding
    set routing-instances webtraffic routing-options static route 0.0.0.0/0 next-hop 131.1.1.200 (adsl modem)
    set routing-options static route 0.0.0.0/0 next-hop pp0.0
    set routing-options interface-routes rib-group inet FBF-rib
    set routing-options rib-groups FBF-rib import-rib inet.0
    set routing-options rib-groups FBF-rib import-rib webtraffic.inet.0
    set security nat source rule-set FB from zone Trust
    set security nat source rule-set FB to zone ISP2
    set security nat source rule-set FB rule R1 match source-address 10.78.1.250/32
    set security nat source rule-set FB rule R1 match destination-address 0.0.0.0/0
    set security nat source rule-set FB rule R1 then source-nat interface

    The same IP (10.78.1.250) is configured with static NAT to allow traffic to it from ISP2.

    Traffic comes to the ADSL modem --> NAT to SRX ge-0/0/1 (ISP2 zone). Static NAT is configured from the ISP2 zone, with destination IP of ge-0/0/1 (131.1.1.201) mapped to the internal prefix IP (10.78.1.250).

    What needs to be modified to make the static NAT work? The configuration below doesn't work (the needed security policies are configured too, omitted here).

    set security nat static rule-set FB1 from zone ISP2
    set security nat static rule-set FB1 rule ru1 match destination-address 131.1.1.201/32 (srx-ge-0/0/1port)
    set security nat static rule-set FB1 rule ru1 match destination-port 134
    set security nat static rule-set FB1 rule ru1 then static-nat prefix 10.78.1.250/32
    set security nat static rule-set FB1 rule ru1 then static-nat prefix mapped-port 134

    I also tried configuring the routing instance type as virtual-router, and doing the static NAT from the routing instance instead of the ISP2 zone, but with no luck.

    Can the instance-type be configured as virtual-router, with the ISP2 port (ge-0/0/1) and the static NAT added to it, without adding the Trust interface (ge-0/0/2)?

    Thanks and regards,



  • 4.  RE: SRX320 filter base forwarding with Nat on routing instance issue

    Posted 12-01-2018 04:52

    I see that the address used for the server is not the same as the interface address but is in the same subnet.

    131.1.1.201 -- NAT address

    131.1.1.20 -- interface address

    Is proxy ARP enabled for the NAT address on the SRX interface?

    This is needed for this situation.

     

    If it is already on, when you make the connection attempt, can you look at the session table at the same time to see which policy and NAT action is taken by the SRX? Use the public source address your inbound connection attempt is coming from to see how the SRX matches the traffic.

    show security flow session source-prefix x.x.x.x



  • 5.  RE: SRX320 filter base forwarding with Nat on routing instance issue

    Posted 12-01-2018 05:11

    Hi Puluka,

    Thanks for the reply. I don't see in my post that there is an IP address 131.1.1.20.

    However, the NAT address and the interface IP address of ge-0/0/1 are the same: 131.1.1.201. So I am not using proxy ARP.

    Is there any other suggestion to solve my issue?

    Regards,



  • 6.  RE: SRX320 filter base forwarding with Nat on routing instance issue

    Posted 12-01-2018 09:55

    If the NAT address is the same as the interface, then proxy ARP is not needed.

    Please do run the session viewer to see which policy your inbound connection attempts are hitting. This will also show the NAT rules that are engaged. If they are hitting the incorrect policy or NAT rule, we will see which one and can look at the policy details and ordering to adjust and move policies to have the desired effect.

    If no session is created, then the policies are not correct, so we will need to see the whole policy stack to determine why.



  • 7.  RE: SRX320 filter base forwarding with Nat on routing instance issue

    Posted 12-03-2018 05:34

    Hi,

    Your configuration looks good and the static NAT should work. Are you sure that the traffic is hitting the SRX?

    Please enable flow traceoptions and initiate traffic to see where the packet is getting dropped.

    1. Enable flow trace:

    set security flow traceoptions file FLOW.log size 10m

    set security flow traceoptions flag packet-drops

    set security flow traceoptions flag basic-datapath

    set security flow traceoptions packet-filter p1 source-prefix <ip address of the outside PC from where traffic is initiated>

    set security flow traceoptions packet-filter p2 destination-prefix <ip address of the outside PC from where traffic is initiated>

    commit

    2. Initiate traffic from outside (ISP2)

    3. Remove flow trace options

    delete security flow traceoptions

    4. Analyze the FLOW.log or share with us

    show log FLOW.log | match "p[12]|permit|drop|policy"



  • 8.  RE: SRX320 filter base forwarding with Nat on routing instance issue
    Best Answer

    Posted 12-03-2018 06:08

    Hi,

    It works after adding the routing instance to the static NAT and also adding the routing instance to the interface connected to ISP2.